[cabfpub] Unmanaged Domain Validated (UDV) Certificates

Ryan Sleevi sleevi at google.com
Fri Apr 22 22:34:42 UTC 2016

On Fri, Apr 22, 2016 at 3:23 PM, Rich Smith <richard.smith at comodo.com>

> Ryan,
> I appreciate your position, and it may even be a viable one where malware
> and warez are concerned.  I'm not entirely convinced that it is, but at
> least there are a billion and one AV products out there to try to address
> those problems.  But what about phishing and fraud.  I'd love for there to
> be a better, more viable solutions widely available to end users to guard
> against these things, but there currently aren't any.
> -Rich

There are a number of solutions widely available to end users to help
protect against these things - SmartScreen and SafeBrowsing are too
examples, The billion and one AV products out there just collectively add
to the insecurity (as my colleague, Tavis Ormany, keeps pointing out with
Project Zero bugs).

However, I do not feel it is remotely in the realm of viability or
advisability to suggest that certificates are the means to guard against
phishing and fraud. We know that certificate revocation doesn't work under
adversarial attack, nor is the significant performance penalty justified by
the non-protection it provides under non-adversarial attack.

Put alternatively: Such proposals (that rely on certificates to protect
against phishing and fraud) are, effectively, proposals to "look up in an
online reputation service the hostname you're going to, and not load the
page until that reputation service responds".

If you haven't noticed, browsers have outright rejected that, on privacy,
security, and performance grounds. While I can understand why CAs may wish
to promote such systems, especially when, due to the misconfiguration and
considerable bloat of CRLs, it effectively necessitates OCSP and thus
provides real-time metrics that a CA can (and CAs have) sold as advertising
or tracking services, but that's not a good outcome for anyone.

I appreciate the desire to solve phishing and fraud online - after all,
Google has invested *considerable* efforts in this space and is arguably
the industry leader. But that doesn't mean that certificates are the
technology to accomplish this, because they really serve a fundamentally
different purpose - binding names to cryptographic identities - and the
notion of reputation or trustworthiness or non-evilness really are entirely
separate problems with their own complexities, and for which certificates
are extremely ill-suited to address.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160422/b075d533/attachment-0003.html>

More information about the Public mailing list